Security update for the Linux Kernel (Live Patch 31 for SLE 15)

Announcement ID:	SUSE-SU-2022:4027-1
Rating:	important
References:	bsc#1201742 bsc#1201752 bsc#1202087 bsc#1203613 bsc#1204170
Cross-References:	CVE-2020-36557 CVE-2020-36558 CVE-2021-33655 CVE-2022-2588 CVE-2022-42703
CVSS scores:	CVE-2020-36557 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-36557 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36558 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-36558 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-33655 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33655 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2022-2588 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-2588 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-42703 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-42703 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Live Patching 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves five vulnerabilities can now be installed.

Description:

This update for the Linux Kernel 4.12.14-150000_150_95 fixes several issues.

The following security issues were fixed:

• CVE-2020-36557: Fixed a race condition between the VT_DISALLOCATE ioctl and closing/opening of ttys that could have led to a use-after-free (bnc#1201429).
• CVE-2020-36558: Fixed a race condition involving VT_RESIZEX which could lead to a NULL pointer dereference and general protection fault (bnc#1200910).
• CVE-2021-33655: Fixed out of bounds write with ioctl FBIOPUT_VSCREENINFO (bnc#1201635).
• CVE-2022-2588: Fixed use-after-free in cls_route (bsc#1202096).
• CVE-2022-42703: Fixed use-after-free in mm/rmap.c related to leaf anon_vma double reuse (bnc#1204168).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Live Patching 15
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2022-4027=1

Package List:

• SUSE Linux Enterprise Live Patching 15 (ppc64le x86_64)
  • kernel-livepatch-4_12_14-150000_150_95-default-debuginfo-4-150000.2.1
  • kernel-livepatch-4_12_14-150000_150_95-default-4-150000.2.1

References:

• https://www.suse.com/security/cve/CVE-2020-36557.html
• https://www.suse.com/security/cve/CVE-2020-36558.html
• https://www.suse.com/security/cve/CVE-2021-33655.html
• https://www.suse.com/security/cve/CVE-2022-2588.html
• https://www.suse.com/security/cve/CVE-2022-42703.html
• https://bugzilla.suse.com/show_bug.cgi?id=1201742
• https://bugzilla.suse.com/show_bug.cgi?id=1201752
• https://bugzilla.suse.com/show_bug.cgi?id=1202087
• https://bugzilla.suse.com/show_bug.cgi?id=1203613
• https://bugzilla.suse.com/show_bug.cgi?id=1204170